On Sat, Apr 10, 2021 at 02:08:30PM -0400, Viktor Dukhovni wrote: > Ben's claim that CAs are "more secure" than DNSSEC is demonstrably > in error in a world where all that CAs do is issue DV certs that > attest to "domain control". > > If you don't trust the ICANN root, you can't trust DV certs, since > all they do is memoise some DNS-derived data you don't trust. Indeed > it takes DNSSEC (and CAs honouring DNSSEC-signed CAA records) to somewhat > improve the rather weak assurance that DV provides. > > Perhaps CT adequately hardens this model for Google's domains, if > they're sufficiently vigilant to detect unauthorised certificate > issuance (after the fact), but for the rest of us, tracking the > CT logs is not actually practical. Indeed, CT works only if people bother to do enough log checking to increase the risk -real and perceived- to malefactors with access to CA credentials. CT can fail to get there generally, leaving us with the same old name-constraint-less, multi-root WebPKI. CT is not the answer, and it's not even an answer. CT might help, and it's better than nothing, but it's certainly not better than also addressing the other issues, and it's not better than only addressing the other issues either. If QUIC were to depend on DANE, the result would be a shot in the arm to DNSSEC deployment, which would instantly address the two biggest problems with WebPKI. Nico --